oracle identity manager connector guide for sap...

Oracle® Identity ManagerConnector Guide for SAP Enterprise Portal

Release 9.0.4

E10172-01

May 2007

Oracle Identity Manager Connector Guide for SAP Enterprise Portal, Release 9.0.4

E10172-01

Copyright © 2006, 2007, Oracle. All rights reserved.

Primary Author: Deepa Aswani

Contributing Authors: Don Gosselin, Vijaykarthik Sathiyamurthy, Lyju Vadassery

The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.

The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose.

If the Programs are delivered to the United States Government or anyone licensing or using the Programs on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the Programs, including documentation and technical data, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement, and, to the extent applicable, the additional rights set forth in FAR 52.227-19, Commercial Computer Software--Restricted Rights (June 1987). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and we disclaim liability for any damages caused by such use of the Programs.

Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

The Programs may provide links to Web sites and access to content, products, and services from third parties. Oracle is not responsible for the availability of, or any content provided on, third-party Web sites. You bear all risks associated with the use of such content. If you choose to purchase any products or services from a third party, the relationship is directly between you and the third party. Oracle is not responsible for: (a) the quality of third-party products or services; or (b) fulfilling any of the terms of the agreement with the third party, including delivery of products or services and warranty obligations related to purchased products or services. Oracle is not responsible for any loss or damage of any sort that you may incur from dealing with any third party.

iii

Contents

Preface ................................................................................................................................................................. v

Audience....................................................................................................................................................... vDocumentation Accessibility ..................................................................................................................... vRelated Documents ..................................................................................................................................... viDocumentation Updates ............................................................................................................................ viConventions ................................................................................................................................................. vi

What's New in the Oracle Identity Manager Connector for SAP Enterprise Portal? vii

Software Updates ....................................................................................................................................... viiDocumentation-Specific Updates............................................................................................................ viii

1 About the Connector

Reconciliation Module ............................................................................................................................ 1-1Lookup Fields Reconciliation ........................................................................................................... 1-2User Reconciliation ............................................................................................................................ 1-2

Reconciled SAP Enterprise Portal Resource Object Fields ................................................... 1-2Reconciled Xellerate User Fields............................................................................................... 1-3

Provisioning Module ............................................................................................................................... 1-3Supported Functionality ......................................................................................................................... 1-4Multilanguage Support ........................................................................................................................... 1-4Files and Directories That Comprise the Connector ......................................................................... 1-5Determining the Release Number of the Connector......................................................................... 1-6

Before Deployment ............................................................................................................................ 1-6After Deployment .............................................................................................................................. 1-7

2 Deploying the Connector

Step 1: Verifying Deployment Requirements..................................................................................... 2-1Step 2: Copying the Connector Files and External Code Files ........................................................ 2-2

Downloading the Apache Axis JAR Files....................................................................................... 2-4Step 3: Deploying Web Services on the Target System..................................................................... 2-4Step 4: Configuring the Oracle Identity Manager Server................................................................. 2-4

Changing to the Required Input Locale.......................................................................................... 2-4Clearing Content Related to Connector Resource Bundles from the Server Cache ................. 2-5Configuring the sapum.properties File........................................................................................... 2-5

iv

Enabling Logging ............................................................................................................................... 2-5Step 5: Importing the Connector XML File ......................................................................................... 2-7

Defining IT Resources ....................................................................................................................... 2-8Step 6: Configuring the SAP Change Password Function ............................................................ 2-10

3 Configuring the Connector

Configuring Reconciliation.................................................................................................................... 3-1Partial Reconciliation......................................................................................................................... 3-1Configuring Trusted Source Reconciliation ................................................................................... 3-3Configuring the Reconciliation Scheduled Tasks.......................................................................... 3-4

Specifying Values for the Scheduled Task Attributes ........................................................... 3-4Lookup Fields Reconciliation Scheduled Task................................................................ 3-4User Reconciliation Scheduled Task ................................................................................. 3-5

Configuring Provisioning....................................................................................................................... 3-6Configuring the Connector for Multiple Installations of the Target System ............................... 3-7

4 Testing and Troubleshooting

Running Test Cases .................................................................................................................................. 4-1Testing Partial Reconciliation........................................................................................................... 4-2

Troubleshooting........................................................................................................................................ 4-3Connection Errors .............................................................................................................................. 4-4Create User.......................................................................................................................................... 4-4Delete User .......................................................................................................................................... 4-5Modify User ........................................................................................................................................ 4-5Child Data ........................................................................................................................................... 4-6

5 Known Issues

Index

v

Preface

Oracle Identity Manager Connector Guide for SAP Enterprise Portal provides information about integrating Oracle Identity Manager with SAP Enterprise Portal.

AudienceThis guide is intended for users who want to deploy the Oracle Identity Manager connector for SAP Enterprise Portal.

Documentation AccessibilityOur goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Accessibility standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For more information, visit the Oracle Accessibility Program Web site at

http://www.oracle.com/accessibility/

Accessibility of Code Examples in DocumentationScreen readers may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, some screen readers may not always read a line of text that consists solely of a bracket or brace.

Accessibility of Links to External Web Sites in DocumentationThis documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.

Note: Some parts of the product and documentation still refer to the original Thor company name and Xellerate product name and will be rebranded in future releases.

vi

TTY Access to Oracle Support ServicesOracle provides dedicated Text Telephone (TTY) access to Oracle Support Services within the United States of America 24 hours a day, seven days a week. For TTY support, call 800.446.2398.

Related DocumentsFor more information, refer to the following documents in the Oracle Identity Manager documentation library:

■ Oracle Identity Manager Release Notes

■ Oracle Identity Manager Installation Guide for JBoss

■ Oracle Identity Manager Installation Guide for Oracle Containers for J2EE

■ Oracle Identity Manager Installation Guide for WebLogic

■ Oracle Identity Manager Installation Guide for WebSphere

■ Oracle Identity Manager Administrative and User Console Guide

■ Oracle Identity Manager Administrative and User Console Customization Guide

■ Oracle Identity Manager Design Console Guide

■ Oracle Identity Manager Tools Reference Guide

■ Oracle Identity Manager Audit Report Developer Guide

■ Oracle Identity Manager Best Practices Guide

■ Oracle Identity Manager Globalization Guide

■ Oracle Identity Manager Glossary of Terms

The following document is available in the Oracle Identity Manager Connector Pack documentation library:

■ Oracle Identity Manager Connector Framework Guide

Documentation UpdatesOracle is committed to delivering the best and most recent information available. For information about updates to the Oracle Identity Manager Connector Pack Release 9.0.4 documentation library, visit Oracle Technology Network at

http://www.oracle.com/technology/documentation/index.html

ConventionsThe following text conventions are used in this document:

Convention Meaning

boldface Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary.

italic Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values.

monospace Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter.

vii

What's New in the Oracle Identity Manager Connector for SAP Enterprise Portal?

This chapter provides an overview of the updates made to the software and documentation for the SAP Enterprise Portal connector in release 9.0.4 of the Oracle Identity Manager connector pack.

The updates discussed in this chapter are divided into the following categories:

■ Software Updates

These include updates made to the connector software.

■ Documentation-Specific Updates

These include major changes made to the connector documentation. These changes are not related to software updates.

Software UpdatesThis section discusses the following software updates implemented in this release of the connector.

Partial ReconciliationThe CustomizedReconQuery parameter has been added to the IT resource definition. You can use this parameter to customize the query that the reconciliation module uses to determine the records to be retrieved from the target system. The CustomizedReconQuery parameter is explained in the following sections:

■ Defining IT Resources on page 2-8

■ Partial Reconciliation on page 3-1

■ Testing Partial Reconciliation on page 4-2

Changes in the Directory Structure of the Connector Files on the Installation MediaThere are some changes in the directory structure of the testing utility files. These changes have been made in the following sections:

■ Files and Directories That Comprise the Connector section on page 1-5

See Also: The 9.0.3 release of this guide for information about updates that were new for the 9.0.3 release

See Also: Oracle Identity Manager Release Notes

viii

■ Step 1: Verifying Deployment Requirements section on page 2-1

Enabling LoggingBy following the instructions in the "Enabling Logging" section on page 2-5, you can configure the generation of log information that is specific to the target system.

Documentation-Specific UpdatesThe following documentation-specific updates have been made in this release of the guide:

■ Instructions in the "Determining the Release Number of the Connector" section on page 1-6 have been revised.

■ The "Multiple Trusted Reconciliation" section has been removed from the guide.

About the Connector 1-1

1About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications. The connector for SAP Enterprise Portal is used to integrate Oracle Identity Manager with SAP Enterprise Portal.

This chapter contains the following sections:

■ Reconciliation Module

■ Provisioning Module

■ Supported Functionality

■ Multilanguage Support

■ Files and Directories That Comprise the Connector

■ Determining the Release Number of the Connector

Reconciliation ModuleReconciliation involves duplicating in Oracle Identity Manager additions of and modifications to user accounts on the target system. It is an automated process initiated by a scheduled task that you configure.

This section discusses the elements that the reconciliation module extracts from the target system to construct reconciliation event records. The following are features of these records:

■ The default data elements of each reconciliation event record are Organization, User Type, and Employee Type.

Note: Oracle Identity Manager connectors were referred to as resource adapters prior to the acquisition of Thor Technologies by Oracle.

Note: At some places in this guide, SAP Enterprise Portal has been referred to as the target system.

See Also: The "Deployment Configurations of Oracle Identity Manager" section in Oracle Identity Manager Connector Framework Guide for conceptual information about reconciliation configurations

Reconciliation Module

1-2 Oracle Identity Manager Connector Guide for SAP Enterprise Portal

■ The default labels for the data elements in each reconciliation event record are:

– Event Linked (for successful reconciliation)

– No Match Found (for failed reconciliation)

Based on the type of data reconciled from the target system, reconciliation can be divided into the following types:

■ Lookup Fields Reconciliation

■ User Reconciliation

Lookup Fields ReconciliationFor user reconciliation to work, the following lookup definitions must be available and the lookup values must be reconciled:

■ Lookup.SAP.EP.Country

■ Lookup.SAP.EP.Groups

■ Lookup.SAP.EP.Language

■ Lookup.SAP.EP.Roles

■ Lookup.SAP.EP.TimeZone

User ReconciliationUser reconciliation can be divided into the following:

■ Reconciled SAP Enterprise Portal Resource Object Fields

■ Reconciled Xellerate User Fields

Reconciled SAP Enterprise Portal Resource Object FieldsThe following fields are reconciled:

■ Street

■ City

■ State

■ Zip

■ Country

■ TimeZone

■ Department

■ ValidFrom

■ ValidTo

■ Locked

■ UserID

■ Password

■ FirstName

■ LastName

■ EmailID

Provisioning Module


■ Language

■ Telephone

■ Fax

■ Mobile

■ Groups

■ Roles

Reconciled Xellerate User FieldsIf trusted source reconciliation is implemented, then the following additional fields are reconciled:

■ UserID

■ Password

■ FirstName

■ LastName

■ EmailID

■ Organization

■ User Type

■ Employee Type

■ Valid From

■ Valid To

Provisioning ModuleProvisioning involves creating or modifying a user's account information on the target system through Oracle Identity Manager. You use the Administrative and User Console to perform provisioning operations.

For this target system, the following fields are provisioned:

■ User ID

■ Password

■ First Name

■ Last Name

■ Email ID

■ ValidFrom

■ ValidTo

See Also: The "Deployment Configurations of Oracle Identity Manager" section in Oracle Identity Manager Connector Framework Guide for conceptual information about provisioning

Supported Functionality


Supported FunctionalityThe following table lists the functions that are available with this connector.

Multilanguage SupportThis release of the connector supports the following languages:

■ Chinese Simplified

■ Chinese Traditional

■ English

■ French

Note: If you create a user in Oracle Identity Manager and do not assign a role to the user, then the user would not be able to view any Portal content after logging in to SAP Enterprise Portal.

Function Type Description

Create User Provisioning Creates a user in the SAP Enterprise Portal system

Update User Provisioning Updates a user in the SAP Enterprise Portal system

Delete User Provisioning Deletes a user from the SAP Enterprise Portal system

Reset Password Provisioning Updates the user password in the SAP Enterprise Portal system

Lock User Provisioning Locks a user in the SAP Enterprise Portal system

UnLock User Provisioning Unlocks a locked user in the SAP Enterprise Portal system

Add Role Provisioning Adds a role to a user in the SAP Enterprise Portal system

Add Group Provisioning Adds a group to a user in the SAP Enterprise Portal system

Remove Role Provisioning Removes the role of a user in the SAP Enterprise Portal system

Remove Group Provisioning Removes a group from a user in the SAP Enterprise Portal system

List Roles of User Provisioning Lists the roles of a user in the SAP Enterprise Portal system

List Groups of User Provisioning Lists the groups of a user in the SAP Enterprise Portal system

List All Roles Provisioning Lists all the roles defined in the SAP Enterprise Portal system

List All Groups Provisioning Lists all the groups defined in the SAP Enterprise Portal system

Reconciliation Insert Received

Reconciliation Inserts into Oracle Identity Manager the user that is created in the SAP Enterprise Portal system

Reconciliation Update Received

Reconciliation Updates in Oracle Identity Manager the user that is updated in the SAP Enterprise Portal system

Reconciliation Delete Received

Reconciliation Deletes from Oracle Identity Manager the user that is deleted from the SAP Enterprise Portal system

Files and Directories That Comprise the Connector


■ German

■ Italian

■ Japanese

■ Korean

■ Portuguese (Brazilian)

■ Spanish

Files and Directories That Comprise the ConnectorThe files and directories that comprise this connector are in the following directory on the installation media:

Enterprise Applications/SAP Enterprise Portal

These files and directories are listed in the following table.

See Also: Oracle Identity Manager Globalization Guide for information about supported special characters

File in the Installation Media Directory Description

The sapum.properties file inside the lib/properties directory

This file contains the connection parameters required to connect to the SAP Enterprise Portal server. The location of this file is given in the SAPUMLocation parameter of the IT resource defined for SAP Enterprise Portal.

The lib/properties directory also contains the following files:

dataSourceConfiguration.dtddataSourceConfiguration_database_only.xmldataSourceConfiguration_PCDRoles.xmldataSourceConfiguration_UMERoles.xml

These files are supportive files for the sapum.properties file. They must be copied into the directory in which the sapum.properties file is copied.

lib/SAP_EP_jar/servicelistener.jar During provisioning, this JAR file is used to ensure that changes to the role attribute of the user are correctly passed on to SAP EP. During reconciliation, this JAR file is used to ensure that changes to the group attribute are correctly passed on to Oracle Identity Manager.

lib/SAPEPConnector.jar This is the connector code JAR file.

par/ConnectorService.par This file is used for calling Web Services on the SAP Enterprise Portal system.

Files in the resources directory Each of these resource bundle files contains language-specific information that is used by the connector.

Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the user interface of Oracle Identity Manager. These text strings include GUI element labels and messages displayed on the Administrative and User Console.

test/Troubleshoot/TroubleShootUtility.class This utility is used to test connector functionality.

test/Troubleshoot/global.properties This file is used to specify the parameters and settings required to connect to the target system by using the testing utility.

Determining the Release Number of the Connector


The "Step 2: Copying the Connector Files and External Code Files" section on page 2-2 provides instructions to copy these files into the required directories.

Determining the Release Number of the ConnectorYou can use any one of the following methods to determine the release number of the connector.

Before DeploymentTo determine the release number of a connector:

1. Extract the contents of the SAPEPConnector.jar file. This file is in the following directory on the installation media:

Enterprise Applications/SAP Enterprise Portal/lib

2. Open the manifest.mf file in a text editor. The manifest.mf file is one of the files bundled inside the SAPEPConnector.jar file.

In the manifest.mf file, the release number of the connector is displayed as the value of the Version property.

test/Troubleshoot/log.properties This file is used to specify the log level and the directory in which the log file is to be created when you run the testing utility.

xml/SAPEPResourceObject.xml This XML file contains definitions for the following components of the connector:

■ IT resource definition

■ SAP User form

■ Lookup definitions

■ Adapters

■ Resource object

■ Process definition

■ Reconciliation scheduled tasks

xml/SAPEPXLResourceObject.xml This XML file contains the configuration for the Xellerate User. You must import this file only if you plan to use the connector in trusted source reconciliation mode.

Note: The files in the test directory are used only to run tests on the connector.

Note: If you maintain a copy of the SAPEPConnector.jar file after deployment, you can use this method to determine the release number of the connector at any stage. After you deploy the connector, it is recommended that you use the "After Deployment" method, which is described in the following section.

File in the Installation Media Directory Description



After DeploymentTo determine the release number of a connector that has already been deployed:

1. Open the Oracle Identity Manager Design Console.

2. In the Form Designer, open the process form. The release number of the connector is the value of the Version field.

See Also: Oracle Identity Manager Design Console Guide

Deploying the Connector 2-1

2Deploying the Connector

Deploying the connector involves the following steps:

■ Step 1: Verifying Deployment Requirements

■ Step 2: Copying the Connector Files and External Code Files

■ Step 3: Deploying Web Services on the Target System

■ Step 4: Configuring the Oracle Identity Manager Server

■ Step 5: Importing the Connector XML File

■ Step 6: Configuring the SAP Change Password Function

Step 1: Verifying Deployment RequirementsThe following table lists the deployment requirements for the connector.

Item Requirement

Oracle Identity Manager Oracle Identity Manager release 8.5.3 or later

Target systems SAP Enterprise Portal 6.0

Infrastructure requirements ■ SAP Enterprise Portal 6.0 running on SAP Web Application Server (WAS) 6.2

■ SAP User Management Engine (UME) 4.0 APIs should be available on the SAP Enterprise Portal 6.0

■ Apache Axis Web Services Framework 1.3

External code Apache Axis JAR files

These are listed in the "Files and Directories That Comprise the Connector" section on page 1-5.

Step 2: Copying the Connector Files and External Code Files


Step 2: Copying the Connector Files and External Code FilesThe connector files and external code files to be copied and the directories to which you must copy them are given in the following table.

Target system user account Create a user account, and assign the following roles to it:

■ super_admin_role

■ com.sap.pdk.JavaDeveloper

The second role gives the rights to deploy the agent on the target system. For this connector, the agent is the ConnectorService.par file.

Refer to "Configuring the sapum.properties File" section on page 2-5 for information about how this user account is used.

If the specified roles are not assigned to this user account, then Oracle Identity Manager cannot connect to the target system.

Note: The connector files listed in the first column of this table are in the following directory on the installation media:

Enterprise Applications/SAP Enterprise Portal

Refer to the "Files and Directories That Comprise the Connector" section on page 1-5 for more information about these files.

Connector File/External Code File Destination Directory

Files in the lib directory OIM_home/Xellerate/SAP_EP/lib

lib/SAP_EP_jar/servicelistener.jar OIM_home/Xellerate/JavaTasks

In addition, copy this file into the lib directory inside the SAP Enterprise Portal connector deployment directory as shown in the following sample directory path:

D:/usr/sap/EP6J/j2ee/j2ee_00/cluster/server/services/servlet_jsp/work/jspTemp/irj/root/WEB-INF/portal/lib

par/ConnectorService.par Refer to the "Step 3: Deploying Web Services on the Target System" section on page 2-4.

Files in the resources directory OIM_home/xellerate/connectorResources

Files in the test directory OIM_home/Xellerate/SAP_EP/test

Files in the xml directory OIM_home/Xellerate/SAP_EP/xml

Item Requirement

Step 2: Copying the Connector Files and External Code Files


The following files from the OIM_home/xellerate directory:

prtapi.jarprtconnection.jarprtcoreservice.jarprtdeploymentapi.jarprtjsp_api.jarprttest.jar

Copy these files into the lib directory inside the SAP Enterprise Portal connector deployment directory as shown in the following sample directory path:

D:/usr/sap/EP6J/j2ee/j2ee_00/cluster/server/services/servlet_jsp/work/jspTemp/irj/root/WEB-INF/portal/.lib

The following files from the SAP EP installation directory:

BaseComps.jarcom.sap.portal.pcd.basicrolefactoryapi.jarcom.sap.portal.pcd.glserviceapi.jarcom.sap.portal.pcd.umwrapperserviceapi.jarcom.sap.portal.pcmbuilderserviceapi.jarcom.sap.portal.usermanagementcore.jarcom.sap.security.api.jarcom.sap.security.api.perm.jarcom.sap.security.core.jarconnector.jarexception.jarj2ee.jarjARM.jarJta.jarLogging.jarP9base.jarP9oracle.jarP9util.jarpcdglstandalone.jarprtapi.jarprtjndisupport.jarprtregistry.jarsapj2eeclient.jarumeuseradminbase.jarutil.jar

OIM_home/Xellerate/JavaTasks

The following files from the Apache Web site at

http://ws.apache.org/axis/

axis.jarjaxrpc.jarcommons-logging.jarcommons-discovery.jar

See Also: The "Downloading the Apache Axis JAR Files" section on page 2-4 for more information.

OIM_home/Xellerate/JavaTasks

Note: While installing Oracle Identity Manager in a clustered environment, you copy the contents of the installation directory to each node of the cluster. Similarly, you must copy the connectorResources directory and the JAR files to the corresponding directories on each node of the cluster.

Connector File/External Code File Destination Directory

Step 3: Deploying Web Services on the Target System


Downloading the Apache Axis JAR FilesDownload the Apache Axis JAR files that are required for SOAP communication with the Web service running on the SAP Enterprise Portal 6.0 server. The version of Axis used is axis-1_3. You can download the JAR files from

http://ws.apache.org/axis/

You must copy these JAR files into the JavaTasks directory of Oracle Identity Manager. In a clustered environment, you must copy these JAR files into the JavaTasks directory of each node of the cluster.

Step 3: Deploying Web Services on the Target SystemTo be able to use Web services with the SAP Enterprise Portal connector, you must deploy the ConnectorService.par file as follows:

1. Log in to SAP Enterprise Portal as the administrator.

2. Click the Java Development tab, the Development secondary tab, and then Component Manager.

3. In the Archive Uploader region, browse to the ConnectorService.par file, and then click Upload. After the file is uploaded, an INFO message is displayed.

4. From the list in the Archive Deployment Checker region, select WSPortlet, and then click Refresh.

Step 4: Configuring the Oracle Identity Manager Server

Configuring the Oracle Identity Manager server involves performing the following procedures:

■ Changing to the Required Input Locale

■ Clearing Content Related to Connector Resource Bundles from the Server Cache

■ Configuring the sapum.properties File

■ Enabling Logging

Changing to the Required Input LocaleChanging to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.

You may require the assistance of the system administrator to change to the required input locale.

Note: In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.

Note: In a clustered environment, you must perform this step on each node of the cluster.



Clearing Content Related to Connector Resource Bundles from the Server CacheWhile performing the instructions described in the "Step 2: Copying the Connector Files and External Code Files" section on page 2-2, you copy files from the resources directory on the installation media into the OIM_home/xellerate/connectorResources directory. Whenever you add a new resource bundle in the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

1. In a command window, change to the OIM_home/xellerate/bin directory.

2. Enter one of the following commands:

■ On Microsoft Windows:

PurgeCache.bat ConnectorResourceBundle

■ On UNIX:

PurgeCache.sh ConnectorResourceBundle

In this command, ConnectorResourceBundle is one of the content categories that you can remove from the server cache. Refer to the following file for information about the other content categories:

OIM_home/xellerate/config/xlConfig.xml

Configuring the sapum.properties FileThe sapum.properties file is in the OIM_home/Xellerate/SAP_EP/lib directory. To configure this file, first open it in a text editor and then specify values for the parameters in the Database Settings section of the file.

If the data source used by SAP EP is SAP R3 or LDAP, then you must specify values for the parameters listed in the corresponding section of the sapum.properties file.

Enabling LoggingWhen you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

■ ALL

This level enables logging for all events.

Note: You must perform Step 1 before you perform Step 2. If you run the command described in Step 2 as follows, then an exception is thrown:

OIM_home/xellerate/bin/batch_file_name

Note: You can ignore the exception that is thrown when you perform Step 2.



■ DEBUG

This level enables logging of information about fine-grained events that are useful for debugging.

■ INFO

This level enables logging of informational messages that highlight the progress of the application at coarse-grained level.

■ WARN

This level enables logging of information about potentially harmful situations.

■ ERROR

This level enables logging of information about error events that may still allow the application to continue running.

■ FATAL

This level enables logging of information about very severe error events that could cause the application to stop functioning.

■ OFF

This level disables logging for all events.

The file in which you set the log level and the log file path depend on the application server that you use:

■ BEA WebLogic

To enable logging:

1. Add the following lines in the OIM_home/xellerate/config/log.properties file:

log4j.logger.XELLERATE=log_levellog4j.logger.XL_INTG.SAPEPCONNECTOR=log_level

2. In these lines, replace log_level with the log level that you want to set.

For example:

log4j.logger.XELLERATE=INFOlog4j.logger.XL_INTG.SAPEPCONNECTOR=INFO

After you enable logging, the log information is written to the following file:

WebLogic_home/user_projects/domains/domain_name/server_name/server_name.log

■ IBM WebSphere

To enable logging:




For example:


Step 5: Importing the Connector XML File



WebSphere_home/AppServer/logs/server_name/startServer.log

■ JBoss Application Server

To enable logging:

1. In the JBoss_home/server/default/conf/log4j.xml file, locate or add the following lines:

<category name="XELLERATE"> <priority value="log_level"/></category>

<category name="XL_INTG.SAPEPCONNECTOR"> <priority value="log_level"/></category>

2. In the second XML code line of each set, replace log_level with the log level that you want to set. For example:

<category name="XELLERATE"> <priority value="INFO"/></category>

<category name="XL_INTG.SAPEPCONNECTOR"> <priority value="INFO"/></category>


JBoss_home/server/default/log/server.log

■ OC4J

To enable logging:




For example:



OC4J_home/opmn/logs/default_group~home~default_group~1.log

Step 5: Importing the Connector XML FileAs mentioned in the "Files and Directories That Comprise the Connector" section on page 1-5, the connector XML file contains definitions of the components of the connector. By importing the connector XML file, you create these components in Oracle Identity Manager.

To import the connector XML file into Oracle Identity Manager:



1. Open the Oracle Identity Manager Administrative and User Console.

2. Click the Deployment Management link on the left navigation bar.

3. Click the Import link under Deployment Management. A dialog box for locating files is displayed.

4. Locate and open the SAPEPResourceObject.xml file, which is in the OIM_home/Xellerate/xml directory. Details of this XML file are shown on the File Preview page.

5. Click Add File. The Substitutions page is displayed.

6. Click Next. The Confirmation page is displayed.

7. Click Next. The Provide IT Resource Instance Data page for the SAP EP IT Resource IT resource is displayed.

8. Specify values for the parameters of the SAP EP IT Resource IT resource. Refer to the "Defining IT Resources" section on page 2-8 for information about the values to be specified.

9. If you want to configure the connector for another instance of the target system, then:

a. Click Next. The Provide IT Resource Instance Data page for a new instance of the SAP EP IT Resource IT resource type is displayed.

b. To define an IT resource for the next instance of the target system, first assign a name to the new IT resource on this page. Then, refer to the "Defining IT Resources" section on page 2-8 for information about the values to be specified for the parameters of the new IT resource.

Repeat Steps a and b for the remaining instances of the target system.

10. Click Skip after you define IT resources for all the instances of the target system. The Confirmation page is displayed.

11. Click View Selections.

The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. These nodes represent Oracle Identity Manager entities that are redundant. Before you import the connector XML file, you must remove these entities by right-clicking each node and then selecting Remove.

12. Click Import. The connector XML file is imported into Oracle Identity Manager.

After you import the connector XML file, proceed to the "Step 6: Configuring the SAP Change Password Function" section on page 2-10.

Defining IT ResourcesYou must specify values for the SAP EP IT resource parameters listed in the following table.

Note: The connector version is also displayed on this page.

See Also: Oracle Identity Manager Tools Reference Guide



Parameter Description

SAPUMLocation This parameter holds the location of the sapum.properties file. This file contains information to connect to the target SAP EP system.

Sample value: OIM_home/Xellerate/SAP_EP/lib

TimeStamp For the first reconciliation run, the time-stamp value is not set. For subsequent rounds of reconciliation, the time at which the previous round of reconciliation was completed is stored in this parameter.

The following are sample timestamp values:

■ English: Jun 01, 2006 at 10:00:00 GMT+05:30

■ French: juil. 01, 2006 at 10:00:00 GMT+05:30

■ Japanese: 6 01, 2006 at 10:00:00 GMT+05:30

WSDLLocation This parameter holds the location of the WSDL URL, where the Web service is running in SAP Enterprise Portal 6.0.

For example:

To determine the WSDL URL:

1. Log in to SAP EP as an administrator.

2. Click the System Administration tab.

3. Click the Support tab.

4. Select Portal Runtime in the Top Level Areas region.

The Portal Support Desk: Portal Runtime page is displayed.

5. On this page, click SOAP Admin in the Test and Configuration Tools region.

The SOAP Administration page is displayed.

6. On this page, select Web Services.

All the Web Services are displayed.

7. Click com.sap.portal.prt.soap.ConnectorService.

All the WSDL files are displayed.

8. Click the Present link next to RPC Literal.

An XML file is opened.

9. In the XML file, search for the tag that starts with the following text:

<soap:address location=

This tag holds the WSDL URL of the Web service. For example:

<soap:address location="http://mlbpsap02:50000/irj/servlet/prt/soap/com.sap.portal.prt.soap.ConnectorService?style=rpc_lit" />

10. Enter the WSDL URL as the value of the WSDLLocation parameter.

Step 6: Configuring the SAP Change Password Function


After you specify values for these IT resource parameters, proceed to Step 9 of the procedure to import connector XML files.

Step 6: Configuring the SAP Change Password FunctionYou can configure the Change Password function to modify password behavior in scenarios such as when a user profile on the target system gets locked or expires. For such scenarios, you can configure the system so that the administrator is not able to reset the password for a locked or expired user profile. This helps prevent discrepancies between data in Oracle Identity Manager and the target system.

To configure the Change Password function:


2. Expand the Process Management folder.

3. Open the Process Definition form.

4. Select the SAP EP Process process definition.

5. Double-click the Password Updated task.

6. On the Integration tab, specify values for the following parameters:

■ ValidityChange: You can specify either true or false.

– True: If the user's validity period has expired, then it is extended to the date specified in the ValidTo parameter.

– False: If the user's validity period has expired, then it does not extend the validity and the user's password cannot be changed.

■ lockChange: You can specify either true or false.

– True: If the user is locked but not by the administrator, then the user is unlocked before the change of password. If the user is locked by the administrator, then the password cannot be changed.

– False: If the user is locked, then the password cannot be changed.

■ ValidTo: Date to which the user's validity must be extended. The date format must be as follows:

Apr 1 10 11:18:29 AM

CustomizedReconQuery Query condition on which reconciliation must be based

If you specify a query condition for this parameter, then the target system records are searched based on the query condition.

If you want to reconcile all the target system records, then do not specify a value for this parameter.

The query can be composed with the AND (&) and OR (|) logical operators.

Sample value: firstname=John

For more information about this parameter, refer to the "Partial Reconciliation" section on page 3-1.

See Also: Oracle Identity Manager Design Console Guide

Parameter Description



If this field is left empty, then the value is set to 1970-01-01, which is the default date.

Note: The values specified are case-sensitive and must match the case in the SAP system.

Configuring the Connector 3-1

3Configuring the Connector

After you deploy the connector, you must configure it to meet your requirements. This chapter discusses the following connector configuration procedures:

Configuring ReconciliationAs mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager additions of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

■ Partial Reconciliation

■ Configuring Trusted Source Reconciliation

■ Configuring the Reconciliation Scheduled Tasks

Partial ReconciliationBy default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.

For this connector, you create a filter by specifying values for the CustomizedReconQuery IT resource parameter while performing the procedure described in the "Defining IT Resources" section on page 2-8.

The following table lists the SAP Enterprise Portal attributes that you can use to build the query condition. You specify this query condition as the value of the CustomizedReconQuery parameter.

Note: These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

SAP EP Attribute Oracle Identity Manager Attribute

uniquename UserID

firstname FirstName

lastname LastName

department Department

Configuring Reconciliation


The following are sample query conditions:

■ firstname=John&lastname=Doe

With this query condition, records of users whose first name is John and last name is Doe are reconciled.

■ firstname=John&lastname=Doe|[email protected]

With this query condition, records of users who meet either of the following conditions are reconciled:

– The user's first name is John or last name is Doe.

– The user's e-mail address is [email protected].

If you do not specify values for the CustomizedReconQuery parameter, then all the records in the target system are compared with existing Oracle Identity Manager records during reconciliation.

You must apply the following guidelines while specifying a value for the CustomizedReconQuery parameter:

■ For the SAP Enterprise Portal attributes, you must use the same case (uppercase or lowercase) as given in the table shown earlier in this section. This is because the attribute names are case-sensitive.

■ You must not include unnecessary blank spaces between operators and values in the query condition.

A query condition with spaces separating values and operators would yield different results as compared to a query condition that does not contain spaces between values and operators. For example, the output of the following query conditions would be different:

firstname=John&lastname=Doe

firstname= John&lastname= Doe

In the second query condition, the reconciliation engine would look for first name and last name values that contain a space at the start.

email EmailID

telephone Telephone

mobile Mobile

fax Fax

streetaddress Street

city City

zip Zip

country Country

state State

locale Language

timezone TimeZone

Groups Groups

Roles Roles

SAP EP Attribute Oracle Identity Manager Attribute



■ You must not include special characters other than the equal sign (=), ampersand (&), and vertical bar (|) in the query condition.

■ To specify multiple roles and groups in the query, roles and groups must be provided with the comma separator.

You specify a value for the CustomizedReconQuery parameter while performing the procedure described in the "Defining IT Resources" section on page 2-8.

Configuring Trusted Source ReconciliationWhile configuring the connector, the target system can be designated as a trusted source or target resource. If you designate the target system as a trusted source, then both newly created and modified user accounts are reconciled in Oracle Identity Manager. If you designate the target system as a target resource, then only modified user accounts are reconciled in Oracle Identity Manager.

Configuring trusted source reconciliation involves the following steps:

1. Import the XML file for trusted source reconciliation, SAPEPXLResourceObject.xml, by using the Deployment Manager. This section describes the procedure to import the XML file.

2. Set the IsTrustedSource scheduled task attribute to True. You specify a value for this attribute while configuring the user reconciliation scheduled task, which is described later in this guide.

To import the XML file for trusted source reconciliation:

1. Open the Oracle Identity Manager Administrative and User Console.

2. Click the Deployment Management link on the left navigation bar.

3. Click the Import link under Deployment Management. A dialog box for locating files is displayed.

4. Locate and open the SAPEPXLResourceObject.xml file, which is in the OIM_home/Xellerate/SAP_EP/xml directory. Details of this XML file are shown on the File Preview page.

5. Click Add File. The Substitutions page is displayed.

6. Click Next. The Confirmation page is displayed.

7. Click Import.

8. In the message that is displayed, click Import to confirm that you want to import the XML file and then click OK.

After you import the XML file for trusted source reconciliation, you must set the value of the IsTrustedSource reconciliation scheduled task attribute to True. This procedure is described in the "Configuring the Reconciliation Scheduled Tasks" section on page 3-4.

Note: An exception is thrown if you include special characters other than the equal sign (=), ampersand (&), and vertical bar (|).

Note: You can skip this section if you do not want to designate the target system as a trusted source for reconciliation.



Configuring the Reconciliation Scheduled TasksWhen you perform the procedure described in the "Step 5: Importing the Connector XML File" section on page 2-7, the scheduled tasks for lookup fields and user reconciliations are automatically created in Oracle Identity Manager. To configure the scheduled task:


2. Expand the Xellerate Administration folder.

3. Select Task Scheduler.

4. Click Find. The details of the predefined scheduled tasks are displayed on two different tabs.

5. For the first scheduled task, enter a number in the Max Retries field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task.

6. Ensure that the Disabled and Stop Execution check boxes are not selected.

7. In the Start region, double-click the Start Time field. From the date-time editor that is displayed, select the date and time at which you want the task to run.

8. In the Interval region, set the following schedule parameters:

■ To set the task to run on a recurring basis, select the Daily, Weekly, Recurring Intervals, Monthly, or Yearly option.

If you select the Recurring Intervals option, then you must also specify the time interval at which you want the task to run on a recurring basis.

■ To set the task to run only once, select the Once option.

9. Provide values for the attributes of the scheduled task. Refer to the "Specifying Values for the Scheduled Task Attributes" section on page 3-4 for information about the values to be specified.

10. Click Save. The scheduled task is created. The INACTIVE status is displayed in the Status field, because the task is not currently running. The task is run at the date and time that you set in Step 7.

11. Repeat Steps 5 through 10 to create the second scheduled task.

After you create both scheduled tasks, proceed to the "Configuring Provisioning" section on page 3-6.

Specifying Values for the Scheduled Task AttributesThis section provides information about the values to be specified for the following scheduled tasks:

■ Lookup Fields Reconciliation Scheduled Task

■ User Reconciliation Scheduled Task

Lookup Fields Reconciliation Scheduled Task You must specify values for the following attributes of the SAPEP LookupRecon lookup fields reconciliation scheduled task.

See Also: Oracle Identity Manager Design Console Guide for information about adding and removing task attributes



After you specify values for the task attributes, proceed to Step 10 of the procedure to create scheduled tasks.

User Reconciliation Scheduled Task You must specify values for the following attributes of the SAPEP UserRecon user reconciliation scheduled task.

Note:

■ Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

■ Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.

Attribute Description Sample Value

ITResource Name of the IT resource for setting up a connection to SAP Enterprise Portal

SAP EP IT Resource

Note:

■ Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

■ Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.


Organization Default organization assigned to a new user OIM Users

Xellerate Type Default type assigned to a new user End-User Administrator

Role Default employee type assigned to a new user

Consultant

ITResource Name of the IT resource for setting up a connection with SAP

SAP EP IT Resource

ResourceObject Name of the resource object that is used for user reconciliation

SAP EP Resource Object

IsTrustedSource Configuration for trusted/nontrusted target

If it is set to True, then it is a trusted target. If it is set to False, then the target is a nontrusted target. By default, the value is false.

False

Configuring Provisioning


After you specify values for these task attributes, proceed to Step 10 of the procedure to create scheduled tasks.

Stopping ReconciliationSuppose the User Reconciliation Scheduled Task for the connector is running and user records are being reconciled. If you want to stop the reconciliation process:

1. Perform Steps 1 through 4 of the procedure to configure reconciliation scheduled tasks.

2. Select the Stop Execution check box in the task scheduler.

3. Click Save.

Configuring ProvisioningAs mentioned earlier in this guide, provisioning involves creating or modifying a user's account information on the target system through Oracle Identity Manager. Refer to the "Supported Functionality" section on page 1-4 for a listing of the provisioning functions that are available with this connector.

Adapters are used to implement provisioning functions. The following adapters are imported into Oracle Identity Manager when you import the connector XML file:

■ SAP EP Remove Role

■ SAP EP Remove Group

■ SAP EP Password Change

■ SAP EP Modify User Date

FirstTimeReconRecords Number of records to be fetched during first-time reconciliation, if the reconciliation scheduled task times out

Initially, Oracle Identity Manager tries to fetch all the records. If the process times out, then Oracle Identity Manager tries to fetch the number of records specified by this parameter. If the task times out even before this number of records are fetched, then Oracle Identity Manager tries to fetch records by recursively dividing this number by two, until all records are fetched from the target system.

5000

XLDeleteUsersAllowed Flag that specifies whether or not users are to be deleted in Oracle Identity Manager during user reconciliation

False

Note: You must perform the procedure described in this section if you want to use the provisioning features of the connector.

See Also: The "Supported Functionality" section on page 1-4 for a listing of the provisioning functions that are available with this connector


Configuring the Connector for Multiple Installations of the Target System


■ SAP EP Modify User

■ SAP EP Delete User

■ SAP EP Create User

■ SAP EP Add Role

■ SAP EP Add Group

■ SAP EP Lock UnLock User

■ PrePopulate SAP EP Form

You must compile these adapters before they can be used in provisioning operations.

To compile adapters by using the Adapter Manager form:

1. Open the Adapter Manager form.

2. To compile all the adapters that you import into the current database, select Compile All.

To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select Compile Selected.

3. Click Start. Oracle Identity Manager compiles the selected adapters.

4. If Oracle Identity Manager is installed in a clustered environment, then copy the compiled adapters from the OIM_home/xellerate/Adapter directory to the same directory on each of the other nodes of the cluster. If required, overwrite the adapter files on the other nodes.

If you want to compile one adapter at a time, then use the Adapter Factory form.

To view detailed information about an adapter:

1. Highlight the adapter in the Adapter Manager form.

2. Double-click the row header of the adapter, or right-click the adapter.

3. Select Launch Adapter from the shortcut menu that is displayed. Details of the adapter are displayed.


You may want to configure the connector for multiple installations of SAP Enterprise Portal. The following example illustrates this requirement:

Note: Click Compile Previously Failed to recompile only those adapters that were not compiled successfully. Such adapters do not have an OK compilation status.

See Also: Oracle Identity Manager Tools Reference Guide for information about using the Adapter Factory and Adapter Manager forms

Note: Perform this procedure only if you want to configure the connector for multiple installations of SAP Enterprise Portal.



The Tokyo, London, and New York offices of Acme Multinational Inc. have their own installations of SAP Enterprise Portal. The company has recently installed Oracle Identity Manager, and they want to configure Oracle Identity Manager to link all the installations of SAP Enterprise Portal.

To meet the requirement posed by such a scenario, you must configure the connector for multiple installations of SAP Enterprise Portal.

To configure the connector for multiple installations of the target system:

1. Create and configure one resource object for each target system installation.

The Resource Objects form is in the Resource Management folder. The SAP EP Resource Object resource object is created when you import the connector XML file. You can use this resource object as the template for creating the remaining resource objects.

2. Create and configure one IT resource for each resource object.

The IT Resources form is in the Resource Management folder. The SAP EP IT Resource IT resource is created when you import the connector XML file. You can use this IT resource as the template for creating the remaining IT resources, of the same resource type.

3. Design one process form for each process definition.

The Form Designer form is in the Development Tools folder. The following process forms are created when you import the connector XML file:

■ UD_SAPEP (parent form)

■ UD_SAPEPROL (child form for multivalue attributes)

■ UD_SAPEPGP (child form for multivalue attributes)

You can use these process forms as templates for creating the remaining process forms.

4. Create and configure one process definition for each resource object.

The Process Definition form is in the Process Management folder. The SAP EP Process process definition is created when you import the connector XML file. You can use this process definition as the template for creating the remaining process definitions.

While creating process definitions for each target system installation, the following steps that you must perform are specific to the creation of each process definition:

■ From the Object Name lookup field, select the resource object that you create in Step 1.

■ From the Table Name lookup field, select the process form that you create in Step 3.

■ While mapping the adapter variables for the IT Resource data type, ensure that you select the IT resource that you create in Step 2 from the Qualifier list.

5. Configure reconciliation for each target system installation. Refer to the "Configuring Reconciliation" section on page 3-1 for instructions. Note that only the values of the following attributes are to be changed for each reconciliation scheduled task:

See Also: Oracle Identity Manager Design Console Guide for detailed instructions on performing each step of this procedure



■ ITResource

■ ResourceObject

■ IsTrustedSource

Set the IsTrustedSource attribute to True for the SAP Enterprise Portal installation that you want to designate as a trusted source.

6. If required, modify the fields to be reconciled for the Xellerate User resource object.

When you use the Administrative and User Console to perform provisioning, you can specify the IT resource corresponding to the SAP Enterprise Portal installation to which you want to provision the user.

Testing and Troubleshooting 4-1

4Testing and Troubleshooting

After you deploy the connector, you must test it to ensure that it functions as expected. This chapter discusses the following topics related to connector testing:

■ Running Test Cases

■ Troubleshooting

Running Test CasesYou can use the testing utility to identify the cause of problems associated with connecting to the target system and performing basic operations on the target system.

To use the testing utility:

1. Specify the required values in the global.properties file.

This file is in the OIM_home/Xellerate/SAP_EP/test/Troubleshoot directory. The following table describes the sections of this file in which you must provide information for running the tests.

2. Add all the JAR files mentioned in the "Step 2: Copying the Connector Files and External Code Files" section on page 2-2 to the CLASSPATH environment variable. In addition, you need to add the JAR files in the following directories to the CLASSPATH environment variable:

Sample commands for setting the CLASSPATH environment variable is given in the global.properties file.

OIM_home/xellerate/libOIM_home/xellerate/ext

Section Information

SAP Enterprise Portal connection Parameters

Connection parameters required to connect to the target system

Refer to the "Defining IT Resources" section on page 2-8 for information about the values that you must provide.

Create User Parameters Field information required to create a user profile

Modify User Parameters This covers multiple sections of parameters that are used to modify user profile information.

Delete User Parameters Field information required to delete a user profile

Reconciliation information The From Date time stamp

The To Date is set to the current date and time by default.

Running Test Cases


3. Create an ASCII-format copy of the global.properties file as follows:

a. In a command window, change to the following directory:

OIM_home/Xellerate/sapep/test/Troubleshoot

b. Enter the following command:

native2ascii global.properties troubleshoot.properties

The troubleshoot.properties is created when you run the native2ascii command. The contents of this file are an ASCII-format copy of the contents of the global.properties file.

4. Perform the following tests:

■ Enter the following command to create a user:

java -DTproperties=OIM_home/Xellerate/SAP_EP/test/Troubleshoot/troubleShoot.properties -Dlog4j.configuration=file:/OIM_home/Xellerate/SAP_EP/test/Troubleshoot/log.properties troubleshoot.TroubleShootUtility C

■ Enter the following command to modify a user:

java -DTproperties=OIM_home/Xellerate/SAP_EP/test/Troubleshoot/troubleShoot.properties -Dlog4j.configuration=file:/OIM_home/Xellerate/SAP_EP/test/Troubleshoot/log.properties troubleshoot.TroubleShootUtility M

■ Enter the following command to delete a user:

java -DTproperties=OIM_home/Xellerate/SAP_EP/test/Troubleshoot/troubleShoot.properties -Dlog4j.configuration=file:/OIM_home/Xellerate/SAP_EP/test/Troubleshoot/log.properties troubleshoot.TroubleShootUtility D

■ Enter the following command to test reconciliation:

java -DTproperties=OIM_home/Xellerate/SAP_EP/test/Troubleshoot/troubleShoot.properties -Dlog4j.configuration=file:/OIM_home/Xellerate/SAP_EP/test/Troubleshoot/log.properties troubleshoot.TroubleShootUtility R

Testing Partial ReconciliationTo test query-based reconciliation, you can specify the following types of query conditions as values for the CustomizedReconQuery parameter:

■ Simple query with user attributes

Value assigned to the CustomizedReconQuery parameter: firstname=John

Note: You must perform this procedure every time you make a change in the contents of the global.properties file.

Troubleshooting


The users with first name John are reconciled.

■ Query consisting of '&' and '|' logical operators

Value assigned to the CustomizedReconQuery parameter: firstname=John&lastname=Doe|[email protected]

The users with first name John, the users with last name Doe, and the users with email id [email protected] are reconciled.

■ Query consisting of logical operators and groups

Value assigned to the CustomizedReconQuery parameter: firstname=John&lastname=Doe|[email protected]&Groups=group01

The user with first name John, last name Doe, and email id [email protected] is reconciled only if the user belongs to the group01 group.

■ Query consisting of logical operators and roles

Value assigned to the CustomizedReconQuery parameter: firstname=John&lastname=Doe|[email protected]&Roles= pcd:portal_content/mycompany/RL_DEMO

The users with first name John and last name Doe, and the users with email id [email protected] are reconciled only if the users belong to the pcd:portal_content/mycompany/RL_DEMO role.

■ Query consisting of logical operators and lookup code

Value assigned to the CustomizedReconQuery parameter: firstname=John&lastname=Doe|[email protected]&country=US

The users with first name John and last name Doe, and the users with email id [email protected], who are located in the United States of America, are reconciled.

■ Query consisting of roles only

Value assigned to the CustomizedReconQuery parameter: Roles= pcd:portal_content/mycompany/RL_DEMO, pcd:portal_content/mycompany/ROLESP

The users who belong to both the pcd:portal_content/mycompany/RL_DEMO and pcd:portal_content/mycompany/ROLESP roles are reconciled.

■ Query consisting of groups only

Value assigned to the CustomizedReconQuery parameter: Groups= group01, group02

The users who belong to both the group01 and group02 groups are reconciled.

TroubleshootingThe following sections list solutions to some commonly encountered issues associated with this connector:

■ Connection Errors

■ Create User

Troubleshooting


■ Delete User

■ Modify User

■ Child Data

Connection ErrorsThe following table lists solutions to some commonly encountered connection errors.

Create UserThe following table lists solutions to some commonly encountered Create User errors.

Problem Description Solution

Oracle Identity Manager cannot establish a connection to SAP Enterprise Portal.

Returned Error Message:

SAP Connection exception

Returned Error Code:

INVALID_CONNECTION_ERROR

■ Ensure that SAP Enterprise Portal is running and that the sapum.properties file has been correctly configured.

■ Ensure that Oracle Identity Manager is running (that is, the database is running).

■ Ensure that all the adapters have been compiled.

■ Examine the Oracle Identity Manager record (from the IT Resources form). Ensure that the IP address, admin ID, and admin password are correct.

Target not available


Target Server not available

Connection error - unable to create SAP Enterprise Portal Connection.


TARGET_UNAVAILABLE_ERROR

■ Ensure that SAP Enterprise Portal is running.

■ Ensure that the specified SAP Enterprise Portal connection values are correct.

Authentication error


Authentication error


AUTHENTICATION_ERROR

Ensure that the specified SAP Enterprise Portal connection user ID and password are correct.


Oracle Identity Manager cannot create a user


Required information missing


SAPEP.INSUFFICIENT_INFORMATION

Ensure that the following information has been provided:

■ User ID

■ User first name

■ User last name

■ User password

■ User e-mail address

Troubleshooting


Delete UserThe following table lists solutions to some commonly encountered Delete User errors.

Modify UserThe following table lists solutions to some commonly encountered Modify User errors.



User already exists in SAP EP


USER_ALREADY_EXIST

User with the assigned ID already exists in SAP Enterprise Portal. Assign a new ID to this user, and try again.



Could not create user


USER_CREATION_FAILED

User could not be created because of any one of the following reasons:

■ The Change Password function failed.

■ Values for mandatory fields have not been specified.


Oracle Identity Manager cannot delete a user.


Require information missing


SAPEP.INSUFFICIENT_INFORMATION

Ensure that the required information has been provided. In this case, the required information is the user ID.

Oracle Identity Manager cannot delete a user.


User does not exist


USER_DOESNOT_EXIST

The specified user does not exist in SAP Enterprise Portal.


Oracle Identity Manager cannot update new information about the user.


Could not modify user


USER_MODIFICATION_FAILED

Generic error. Review the log for more details.


Troubleshooting


Child DataThe following table lists solutions to some commonly encountered Child Data errors.

Oracle Identity Manager cannot update a user.


User does not exist


USER_DOESNOT_EXIST

The specified user does not exist in SAP Enterprise Portal. Check the user ID.


Oracle Identity Manager cannot add a user to a group.


Group does not exist


GROUP_DOESNOT_EXIST

The specified group does not exist in SAP Enterprise Portal. Check the name of the group.

Oracle Identity Manager cannot add a role to a user


Role does not exist


SAPEP.ROLE_DOESNOT_EXIST

The specified role for the user in Oracle Identity Manager does not exist in SAP Enterprise Portal. Check the role name.

Trying to add a duplicate value to a group or role.


Role has already been assigned to user

Selected group is already assigned to user


ROLE_ALREADY_EXISTS

GROUP_ALREADY_EXISTS

The user has already been added to the particular profile or role.


Known Issues 5-1

5Known Issues

The following are known issues associated with this release of the connector:

■ The configuration details of the SAP Enterprise Portal database are in plaintext in the sapum.properties file, the location of which is available in the IT resource definition. This poses a security threat.

■ The connector uses the UME APIs that communicate directly with the data sources on the target systems instead of going through the SAP system. These data sources could be SAP Base, the Database, or LDAP.

■ For certain functionality, such as Portal Role lookups, a SAP Enterprise Portal plug-in must be installed on the SAP Enterprise Portal server. Therefore, there is a dependency on the availability of the SAP Enterprise Portal server.

■ After the connector is deployed, the first task that can be performed is lookup reconciliation. If the size of the lookup field that is being reconciled is more than 100, then an exception may be thrown. To resolve this issue, you must change the size of the column in the LKV table by running the following commands on the database:

– ALTER TABLE LKV MODIFY (LKV_ENCODED VARCHAR2(300 BYTE));

– ALTER TABLE LKV MODIFY (LKV_DECODED VARCHAR2(300 BYTE));

■ Suppose a user is created in SAP Enterprise Portal and then locked. If this user is reconciled for the first time, then the user might not get locked because linking in Oracle Identity Manager takes place in an asynchronous manner. If the same user is reconciled for the second time, then the user gets locked.

■ During lookup fields reconciliation, the Role field is reconciled in English. This is because SAP Enterprise Portal does not allow you to specify the role ID in non-English languages, although a non-English language can be used for the role name.

■ The connector does not support Secure Network Communication (SNC) or Secure Sockets Layer (SSL).

■ Some Asian languages use multibyte character sets. If the character limit for the fields in the target system is specified in bytes, then the number of Asian-language characters that you can enter in a particular field may be less than the number of English-language characters that you can enter in the same field. The following example illustrates this limitation:

Suppose you can enter 50 characters of English in the User Last Name field of the target system. If you were using the Japanese language and if the character limit for the target system fields were specified in bytes, then you would not be able to enter more than 25 characters in the same field.

Index-1

Index

AAdapter Manager form, 3-7adapters, compiling, 3-6additional files, 2-1Administrative and User Console, 2-8, 3-3attributes

lookup fields reconciliation scheduled task, 3-4user reconciliation scheduled task, 3-5

Cchanging input locale, 2-4child data errors, 4-6clearing server cache, 2-5compiling adapters, 3-6configuring

change password functionality, 2-10connector for multiple installations of the target

system, 3-7Oracle Identity Manager server, 2-4

configuring connector, 3-1configuring provisioning, 3-6connection errors, 4-4connector files and directories

copying, 2-2description, 1-5destination directories, 2-2installation directory, 1-5, 1-6, 2-2

connector release number, determining, 1-6connector testing, 4-1connector XML files

See XML filesconnector, configuring, 3-1create user errors, 4-4creating scheduled tasks, 3-4

Ddefining

IT resources, 2-8scheduled tasks, 3-4

delete user errors, 4-5deploying

Web service portlet, 2-4Web services on the target system, 2-4

deployment requirements, 2-1Design Console, 3-4determining release number of connector, 1-6

Eenabling logging, 2-5errors, 4-3

child data, 4-6connection, 4-4create user, 4-4delete user, 4-5modify user, 4-5

external code files, 2-1, 2-2

Ffiles

additional, 2-1external code, 2-1See also XML files

files and directories of the connectorSee connector files and directories

functionality supported, 1-4functions available, 1-4

Gglobalization features, 1-4

Iimporting connector XML files, 2-7input locale, changing, 2-4issues, 5-1IT resources

defining, 2-8parameters, 2-8SAP EP IT Resource, 2-8

Llimitations, 5-1logging enabling, 2-5lookup fields reconciliation scheduled task, 3-4

Index-2

Mmodify user errors, 4-5multilanguage support, 1-4

OOracle Identity Manager Administrative and User

Console, 2-8, 3-3Oracle Identity Manager Design Console, 3-4Oracle Identity Manager server, configuring, 2-4

Pparameters of IT resources, 2-8problems, 4-3process tasks, 1-4property files, 1-5provisioning

fields, 1-3functions, 1-4module, 1-3

Rreconciliation

functions, 1-4module, 1-1

release number of connector, determining, 1-6requirements

infrastructure requirements, 2-1requirements for deploying, 2-1

Sscheduled tasks

attributes, 3-4defining, 3-4lookup fields reconciliation, 3-4user reconciliation, 3-5

server cache, clearing, 2-5supported

functionality, 1-4languages, 1-4releases of Oracle Identity Manager, 2-1target systems, 2-1

Ttarget system, multiple installations, 3-7target systems

deploying, 2-4supported, 2-1

test cases, 4-1testing the connector, 4-1testing utility, 4-1troubleshooting, 4-3

Uuser reconciliation scheduled task, 3-5

XXML files

importing, 2-7